A technique for over-the-top end-to-end (OTT E2E) information security in a data center providing IT infrastructure for an enterprise network. The technique provides a hardware-to-hardware and/or hardware-to-software PKI over-the-top encryption method that can be applied to both hardware devices and virtual devices. The hardware side may be implemented in a customer premises-based physical enclosure (e.g., a concentrator) having multiple ports. Each port has associated therewith an integrated circuit-based NID. This device provides OSI Layer 2 encryption offloaded to a PKI processor on this chip. Preferably, this process of handling encryption is transparent, with all handling of keys occurring automatically during a device discovery operation. Each key is configured for use for the single port for which the associated device is responsible. This approach allows separate keys on each port to curtail brute force decryption; in the event of key exposure, only one port at a time can become compromised.
1. A device, comprising:
a housing having a set of ports; and
a network interface device associated with each port of the set of ports, the network interface device comprising a cryptographic module that transparently encrypts/decrypts OSI Layer 2 (L2) headers associated with data-in-transit to/from the network interface device, the cryptographic module leaving L3 headers unaltered;
wherein each port has an associated cryptographic key that is unique such that compromise of the associated cryptographic key does not expose L2 headers associated with data-in-transit to/from any other network interface device supported in the housing.
6. A system, comprising:
a management platform; and
a concentrator device having a set of ports, wherein a respective port has an associated network interface device comprising a cryptographic module, wherein the cryptographic module transparently encrypts/decrypts OSI Layer 2 (L2) headers associated with data-in-transit to/from the network interface device as the data is communicated between an IP device coupled to the respective port and the management platform, the cryptographic module leaving L3 headers unaltered;
wherein each respective port has an associated cryptographic key that is unique such that compromise of the associated cryptographic key does not expose L2 headers associated with data-in-transit to/from any other network interface device supported in the concentrator.
2. The device as described in
4. The device as described in
7. The system as described in
8. The system as described in
9. The system as described in
This application relates generally to information security.
Enterprise Information Technology (IT) needs are evolving toward on-demand (e.g., cloud-based) services and infrastructure, which are housed in network-accessible data centers. A data center is a physical facility that centralizes an organization's IT operations and equipment (e.g., servers, storage hardware, cables and racks, as well as information security devices such as firewalls), as well as where it stores, manages, and disseminates its data. In addition to the IT equipment itself, a data center includes support infrastructure (e.g., UPS, environmental controls, physical security systems, and the like) to ensure high availability and other service level requirements. Data centers often house a network's most critical systems and thus are vital to the continuity of daily operations. Typically, modern data center architectures also support virtualization to optimize resource utilization and increase IT flexibility. Viewed from an external vantage point, the physical and virtual resources (including support infrastructure) within a data center are a large number of IP-based devices, each of which may be transmitting and receiving data. Such data often transits to or from the data center and thus needs to be protected.
There are many well-known techniques to secure data in transit. Public key cryptography is a cryptographic technique that enables entities to securely communicate on an insecure public network, and reliably verify the identity of an entity via digital signatures. A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed. Typically, a PKI comprises a certificate authority (CA) that stores, issues and signs the digital certificates, a registration authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA, a secure central directory in which to store and index keys, a certificate management system managing access to stored certificates or the delivery of the certificates to be issued, and a certificate policy stating the PKI's requirements concerning its procedures.
There remains a need to provide for new techniques for information security, especially with respect to data in transit in the context of a data center operating environment with large-scale IP-based deployments.
According to this disclosure, a technique for over-the-top end-to-end (OTT E2E) information security is provided, e.g., in a data center operating environment providing IT infrastructure for an enterprise network. The technique provides a hardware-to-hardware and/or hardware-to-software PKI over-the-top encryption method that can be applied to both hardware devices and virtual devices. In one embodiment, the hardware side is implemented in a customer premises-based physical enclosure (e.g., a concentrator) having multiple ports. Each of the ports has associated therewith an integrated circuit (IC)-based NID (Network Interface Device). This device provides OSI Layer 2 encryption offloaded to a PKI processor on this chip. Preferably, this process of handling encryption is transparent to an end user, with all handling of keys occurring automatically during a device discovery operation. Each key is unique and only configured for use for the single port for which the associated device is responsible. This approach allows separate keys on each port of the concentrator to curtail brute force decryption so that, in the event of key exposure, only one port at a time can become compromised.
The foregoing has outlined some of the more pertinent features of the disclosed subject matter. These features should be construed to be merely illustrative. Many other beneficial results can be attained by applying the disclosed subject matter in a different manner or by modifying the subject matter as will be described.
For a more complete understanding of the subject matter herein and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
In the example embodiment, the data center operating environment 100 is being managed in whole or in part remotely via a remote management platform 106. The remote management platform itself may be implemented in some other data center 108.
Generally, it can be assumed that all or some of the resources within the data center operating environment in
According to this disclosure, and to that end, preferably data connectivity to and from an IP-based resource in the above-described operating environment is secured using a microchip-based network interface device (NID), sometimes referred to herein as a PKI-Crypto IC device, that acts as a power source and collection source to guarantee encryption between any IP-based resource that is coupled to the device. Preferably, this NID device is implemented in a small form factor, e.g., as a pass-through module or built-in circuit, with the encryption being provided by an on-board PKI processor. A representative (but non-limiting) integrated circuit (IC) is a Model ATECC508A, available from Microchip Technology, Inc., which is a crypto engine-based authentication device with highly-secure hardware-based key storage. Other commercial IC-based devices may also be used to provide the encryption layer. An alternative embodiment implements a software-based equivalent of the NID, which may be referred to as a “crypto soft port.”
Referring now to
As shown in
Physically, an IP-based device within the data center is coupled to a port 202, which as noted above has an associated NID (typically a physical endpoint) that includes an on-board or software-based encryption module (the PKI Crypto IC). As noted, and as depicted in
In this manner, full over-the-top end-to-end L2 encryption is provided for with respect to data-in-transit between the endpoints (namely, the IP device, on the one hand, and the remote management platform, on the other hand). The keys for the encryption preferably are managed by the remote management platform, although this key management may also be carried out in whole or in part on the customer premises. In either case, in the event a particular key (associated with a particular port) is compromised, any such compromise does not impact or affect data on the other ports, which are each protected by their own respective dedicated key(s).
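The per-port key isolation described above, as an added example in Go (this is not code from the patent or its assignee, and the page names no algorithm or key-exchange protocol): a model of the concentrator in which every port is provisioned with its own key at "discovery", the NID behind each port seals only the 14-byte Ethernet header and leaves the L3 packet unaltered on the wire, and a capture from port 2 is then tried against port 1's key to show that a single compromised key opens exactly one port. AES-GCM as the cipher, 256-bit keys drawn from the OS CSPRNG at discovery, the `nonce || sealed header || cleartext L3` wire layout, the sample frame bytes, and all function names (`discover`, `encryptL2`, `decryptL2`, `portIsolation`) are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const l2HeaderLen = 14 // destination MAC (6) + source MAC (6) + EtherType (2)

// nid models one port's network interface device: a per-port AEAD key provisioned
// once at discovery and never shared with another port. AES-GCM is an assumed
// stand-in for the on-chip cipher; the page names no algorithm.
type nid struct{ aead cipher.AEAD }

// discover provisions a fresh, unique 256-bit key for every port of the
// concentrator (port number -> NID). The page says key handling happens
// automatically at discovery but does not describe the exchange, so each key is
// simply drawn from the OS CSPRNG (assumption).
func discover(portCount int) (map[int]*nid, error) {
	ports := make(map[int]*nid, portCount)
	for p := 1; p <= portCount; p++ {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		aead, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		ports[p] = &nid{aead: aead}
	}
	return ports, nil
}

// encryptL2 encrypts only the 14-byte L2 header. The L3 packet stays in the clear
// but is bound into the GCM tag as associated data, so modifying it is still
// detected. Wire layout: nonce || sealed header || cleartext L3 packet.
func (n *nid) encryptL2(frame []byte) ([]byte, error) {
	if len(frame) < l2HeaderLen {
		return nil, errors.New("frame shorter than an L2 header")
	}
	hdr, l3 := frame[:l2HeaderLen], frame[l2HeaderLen:]
	nonce := make([]byte, n.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := n.aead.Seal(append([]byte{}, nonce...), nonce, hdr, l3)
	return append(out, l3...), nil
}

// decryptL2 reverses encryptL2; it fails on a wrong key, a modified header
// ciphertext or a modified L3 packet.
func (n *nid) decryptL2(wire []byte) ([]byte, error) {
	ns, sealedLen := n.aead.NonceSize(), l2HeaderLen+n.aead.Overhead()
	if len(wire) < ns+sealedLen {
		return nil, errors.New("wire frame too short")
	}
	nonce, sealed, l3 := wire[:ns], wire[ns:ns+sealedLen], wire[ns+sealedLen:]
	hdr, err := n.aead.Open(nil, nonce, sealed, l3)
	if err != nil {
		return nil, err
	}
	return append(hdr, l3...), nil
}

// sampleFrame is a constructed Ethernet frame: two locally administered MACs,
// EtherType 0x0800, then the first ten bytes of an IPv4 header as the L3 part.
var sampleFrame = []byte{0x02, 0, 0, 0, 0, 1, 0x02, 0, 0, 0, 0, 2, 0x08, 0x00,
	0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x40, 0x00, 0x40, 0x11}

// portIsolation sends the sample frame through port 2, checks that port 2's own
// NID recovers it with the L3 bytes untouched on the wire, then tries port 1's key
// on the same capture (a compromised key). crossLeak must stay false.
func portIsolation(ports map[int]*nid) (ownOK, crossLeak bool, err error) {
	wire, err := ports[2].encryptL2(sampleFrame)
	if err != nil {
		return false, false, err
	}
	got, err := ports[2].decryptL2(wire)
	ownOK = err == nil && bytes.Equal(got, sampleFrame) && bytes.HasSuffix(wire, sampleFrame[l2HeaderLen:])
	_, err = ports[1].decryptL2(wire)
	return ownOK, err == nil, nil
}

func main() {
	ports, err := discover(4)
	if err != nil {
		panic(err)
	}
	ownOK, crossLeak, _ := portIsolation(ports)
	fmt.Println("own-port decrypt ok:", ownOK, "| port 1 key opens port 2 traffic:", crossLeak)
}
```

Two design points worth noting. Binding the cleartext L3 packet into the tag as associated data costs nothing on the wire but means a modified payload is rejected at the far end, which the page's "leaving L3 headers unaltered" wording does not otherwise guarantee. And because the Ethernet header itself is ciphertext, no intermediate switch can forward on it, so this construction only makes sense on the point-to-point path between the concentrator port and the management platform, which is the topology the page describes.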
The approach herein thus provides for a transparent layer designed to guarantee some level of encryption on every single packet flowing between two points that have finished a key handshake process. The notion of “transparent” here refers to the fact that the encryption is not necessarily surfaced to the end user (generally, the customer). From there, a customer may still elect to encrypt the frames (in which those encrypted packets are transported) using any technology, in which case each frame is double-encrypted.
As noted, preferably the technique is implemented as a pass-through module or a built-in circuit that contains this technology to facilitate providing the end-to-end encryption. In the embodiment shown in
The following provides additional details of a representative remote management platform that provides one or more management services for a customer data center. A remote management service may be implemented using a set of computing resources that are co-located or themselves distributed. Typically, a service is implemented in one or more computing systems. The computing platform (or portions thereof) may be implemented in a dedicated environment, in an on-premises manner, as a cloud-based architecture, or some hybrid. A typical implementation of the compute infrastructure is in a cloud-computing environment. As is well-known, cloud computing is a model of service delivery for enabling on-demand network access to a shared pool of configurable computing resources (e.g. networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. Available service models that may be leveraged in whole or in part include: Software as a Service (SaaS) (the provider's applications running on cloud infrastructure); Platform as a Service (PaaS) (the customer deploys applications that may be created using provider tools onto the cloud infrastructure); Infrastructure as a Service (IaaS) (the customer provisions its own processing, storage, networks and other computing resources and can deploy and run operating systems and applications).
The remote management platform may comprise co-located hardware and software resources, or resources that are physically, logically, virtually and/or geographically distinct. Communication networks used to communicate to and from the platform services may be packet-based, non-packet based, and secure or non-secure, or some combination thereof.
More generally, the techniques described herein are provided using a set of one or more computing-related entities (systems, machines, processes, programs, libraries, functions, or the like) that together facilitate or provide the functionality described above. In a typical implementation, a representative machine on which the software executes comprises commodity hardware, an operating system, an application runtime environment, and a set of applications or processes and associated data, that provide the functionality of a given system or subsystem. As described, the functionality may be implemented in a standalone machine, or across a distributed set of machines.
While the above describes a particular order of operations performed by certain embodiments of the disclosed subject matter, it should be understood that such order is exemplary, as alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, or the like. References in the specification to a given embodiment indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic.
While given components of the system have been described separately, one of ordinary skill will appreciate that some of the functions may be combined or shared in given instructions, program sequences, code portions, and the like.
The functionality may be implemented with other application layer protocols besides HTTP/HTTPS, or any other protocol having similar operating characteristics.
There is no limitation on the type of computing entity that may implement the client-side or server-side of any communication. Any computing entity (system, machine, device, program, process, utility, or the like) may act as the client or the server.
Any application or functionality described herein may be implemented as native code, by providing hooks into another application, by facilitating use of the mechanism as a plug-in, by linking to the mechanism, and the like.
Patent | Priority | Assignee | Title
11108744 | Jan 16 2019 | YEALINK (XIAMEN) NETWORK TECHNOLOGY CO., LTD. | Network encryption methods for realizing encryption of local area networks at the bottom layer driver of network cards of embedded devices

Patent | Priority | Assignee | Title
6922785 | May 11 2000 | Lenovo PC International | Apparatus and a method for secure communications for network computers
7716730 | Jun 24 2005 | Oracle America, Inc | Cryptographic offload using TNICs
20050114663 | | |
20050201073 | | |
20060015781 | | |
20090021907 | | |
20130283045 | | |
20140241203 | | |
20150222500 | | |
20150381578 | | |
20160241293 | | |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Mar 15 2020 | VORBI, INC | Providence Interests, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 055215 | /0492 | |
Jul 10 2020 | Providence Interests, LLC | (assignment on the face of the patent) | / | |||
Jul 10 2020 | JENKINS, BENJAMIN L | VORBI, INC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 053175 | /0088 |
Date | Maintenance Fee Events |
Jul 10 2020 | BIG: Entity status set to Undiscounted (note the period is included in the code). |
Jul 21 2020 | SMAL: Entity status set to Small. |
Oct 28 2024 | REM: Maintenance Fee Reminder Mailed. |
Date | Maintenance Schedule |
Mar 09 2024 | 4 years fee payment window open |
Sep 09 2024 | 6 months grace period start (w surcharge) |
Mar 09 2025 | patent expiry (for year 4) |
Mar 09 2027 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 09 2028 | 8 years fee payment window open |
Sep 09 2028 | 6 months grace period start (w surcharge) |
Mar 09 2029 | patent expiry (for year 8) |
Mar 09 2031 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 09 2032 | 12 years fee payment window open |
Sep 09 2032 | 6 months grace period start (w surcharge) |
Mar 09 2033 | patent expiry (for year 12) |
Mar 09 2035 | 2 years to revive unintentionally abandoned end. (for year 12) |